From c1ebd31e9371838abf585230a6be93419c0f2cc9 Mon Sep 17 00:00:00 2001 From: "rniwa@webkit.org" Date: Tue, 17 Oct 2017 05:52:38 +0000 Subject: [PATCH] Assert that Node::insertedInto doesn't fire an event https://bugs.webkit.org/show_bug.cgi?id=178376 Reviewed by Daniel Bates. Fixed the assertion in notifyChildNodeInserted since this function MUST NOT dispatch an event, and moved a bunch of event-dispatching code from Node::insertedInto into Node::finishedInsertingSubtree. No new tests since the existing tests cover the behavioral change. * dom/ContainerNodeAlgorithms.cpp: (WebCore::notifyChildNodeInserted): Fixed the assertion. * dom/ProcessingInstruction.cpp: (WebCore::ProcessingInstruction::insertedInto): (WebCore::ProcessingInstruction::finishedInsertingSubtree): Extracted from insertedInto since checkStyleSheet can dispatch an event. * dom/ProcessingInstruction.h: * html/HTMLBodyElement.cpp: (WebCore::HTMLBodyElement::insertedInto): (WebCore::HTMLBodyElement::finishedInsertingSubtree): Extracted from insertedInto since setIntegralAttribute could dispatch DOMAttrModified synchronously. * html/HTMLBodyElement.h: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@223458 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- Source/WebCore/ChangeLog | 26 ++++++++++++++++++++++++++ Source/WebCore/dom/ContainerNodeAlgorithms.cpp | 2 +- Source/WebCore/dom/ProcessingInstruction.cpp | 6 +++++- Source/WebCore/dom/ProcessingInstruction.h | 1 + Source/WebCore/html/HTMLBodyElement.cpp | 11 ++++++++--- Source/WebCore/html/HTMLBodyElement.h | 1 + 6 files changed, 42 insertions(+), 5 deletions(-) diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index e147274..2237bff 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog 
@@ -1,3 +1,29 @@ +2017-10-16 Ryosuke Niwa + + Assert that Node::insertedInto doesn't fire an event + https://bugs.webkit.org/show_bug.cgi?id=178376 + + + Reviewed by Daniel Bates. + + Fixed the assertion in notifyChildNodeInserted since this function MUST NOT dispatch an event, + and moved a bunch of event-dispatching code from Node::insertedInto into Node::finishedInsertingSubtree. + + No new tests since the existing tests cover the behavioral change. + + * dom/ContainerNodeAlgorithms.cpp: + (WebCore::notifyChildNodeInserted): Fixed the assertion. + * dom/ProcessingInstruction.cpp: + (WebCore::ProcessingInstruction::insertedInto): + (WebCore::ProcessingInstruction::finishedInsertingSubtree): Extracted from insertedInto since + checkStyleSheet can dispatch an event. + * dom/ProcessingInstruction.h: + * html/HTMLBodyElement.cpp: + (WebCore::HTMLBodyElement::insertedInto): + (WebCore::HTMLBodyElement::finishedInsertingSubtree): Extracted from insertedInto since + setIntegralAttribute could dispatch DOMAttrModified synchronously. + * html/HTMLBodyElement.h: + 2017-10-16 Chris Dumez ServiceWorkerRegistration should subclass RefCounted<> diff --git a/Source/WebCore/dom/ContainerNodeAlgorithms.cpp b/Source/WebCore/dom/ContainerNodeAlgorithms.cpp index ffb201a..4e3ea3b 100644 --- a/Source/WebCore/dom/ContainerNodeAlgorithms.cpp +++ b/Source/WebCore/dom/ContainerNodeAlgorithms.cpp @@ -85,7 +85,7 @@ static void notifyNodeInsertedIntoTree(ContainerNode& insertionPoint, Node& node void notifyChildNodeInserted(ContainerNode& insertionPoint, Node& node, NodeVector& postInsertionNotificationTargets) { - RELEASE_ASSERT(NoEventDispatchAssertion::isEventDispatchAllowedInSubtree(insertionPoint)); + NoEventDispatchAssertion assertNoEventDispatch; InspectorInstrumentation::didInsertDOMNode(node.document(), node); diff --git a/Source/WebCore/dom/ProcessingInstruction.cpp b/Source/WebCore/dom/ProcessingInstruction.cpp index 0cab4e8..9ff35a4 100644 
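Review bot: The new `NoEventDispatchAssertion assertNoEventDispatch;` at the top of notifyChildNodeInserted has no comment saying what it guards, and its release-build behaviour is not visible in this hunk. It replaces a RELEASE_ASSERT, so if the scope object only counts in assertion-enabled builds, shipping builds lose a hard check here (even though the removed line apparently tested the wrong condition). It is worth confirming that an event dispatched under this scope still traps in release. I would also add a comment such as `// Script must not run while insertedInto() callbacks are in flight; event-dispatching work belongs in finishedInsertingSubtree().` The function body continues past the end of the hunk.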
--- a/Source/WebCore/dom/ProcessingInstruction.cpp +++ b/Source/WebCore/dom/ProcessingInstruction.cpp @@ -280,8 +280,12 @@ Node::InsertionNotificationRequest ProcessingInstruction::insertedInto(Container if (!insertionPoint.isConnected()) return InsertionDone; document().styleScope().addStyleSheetCandidateNode(*this, m_createdByParser); + return InsertionShouldCallFinishedInsertingSubtree; +} + +void ProcessingInstruction::finishedInsertingSubtree() +{ checkStyleSheet(); - return InsertionDone; } void ProcessingInstruction::removedFrom(ContainerNode& insertionPoint) diff --git a/Source/WebCore/dom/ProcessingInstruction.h b/Source/WebCore/dom/ProcessingInstruction.h index d154433..a50a2e5 100644 --- a/Source/WebCore/dom/ProcessingInstruction.h +++ b/Source/WebCore/dom/ProcessingInstruction.h @@ -59,6 +59,7 @@ private: Ref cloneNodeInternal(Document&, CloningOperation) override; InsertionNotificationRequest insertedInto(ContainerNode&) override; + void finishedInsertingSubtree() override; void removedFrom(ContainerNode&) override; void checkStyleSheet(); diff --git a/Source/WebCore/html/HTMLBodyElement.cpp b/Source/WebCore/html/HTMLBodyElement.cpp index b1ee9c4..0133c88 100644 --- a/Source/WebCore/html/HTMLBodyElement.cpp +++ b/Source/WebCore/html/HTMLBodyElement.cpp @@ -199,7 +199,14 @@ Node::InsertionNotificationRequest HTMLBodyElement::insertedInto(ContainerNode& auto* ownerElement = document().ownerElement(); if (!is(ownerElement)) return InsertionDone; - + + return InsertionShouldCallFinishedInsertingSubtree; +} + +void HTMLBodyElement::finishedInsertingSubtree() +{ + auto* ownerElement = document().ownerElement(); + RELEASE_ASSERT(is(ownerElement)); auto& ownerFrameElement = downcast(*ownerElement); // Read values from the owner before setting any attributes, since setting an attribute can run arbitrary 
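Review bot: ProcessingInstruction::finishedInsertingSubtree() calls checkStyleSheet() unconditionally, although insertedInto() only requested the callback because insertionPoint.isConnected() held at that moment. The callback is deferred, and the commit message itself says these callbacks can dispatch events, so an earlier target's callback could presumably detach this node before its turn comes. Unless checkStyleSheet() already tolerates a disconnected node (not visible here), re-check first: `if (!isConnected()) return;`. A one-line comment on the new function saying it is deferred because checkStyleSheet() can dispatch an event would also help the next reader.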
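Review bot: The `RELEASE_ASSERT(is(ownerElement));` in HTMLBodyElement::finishedInsertingSubtree() re-derives ownerElement from document() at callback time and aborts the process if the check that passed in insertedInto() no longer holds. Keeping a hard check ahead of the downcast is right, since it prevents a bad cast. But if script run by an earlier callback can change which document the body belongs to or remove the frame owner (an inference, not shown in the hunk), the assert becomes a crash that page content can trigger. An early return with the same type test as insertedInto() would fail safe instead: `if (!is(ownerElement)) return;` (the template argument appears to have been stripped from this rendering of the patch). The function continues in the next hunk, where the margin attributes are set.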
@@ -211,8 +218,6 @@ Node::InsertionNotificationRequest HTMLBodyElement::insertedInto(ContainerNode& setIntegralAttribute(marginwidthAttr, marginWidth); if (marginHeight != -1) setIntegralAttribute(marginheightAttr, marginHeight); - - return InsertionDone; } bool HTMLBodyElement::isURLAttribute(const Attribute& attribute) const diff --git a/Source/WebCore/html/HTMLBodyElement.h b/Source/WebCore/html/HTMLBodyElement.h index a736393..698b47d 100644 --- a/Source/WebCore/html/HTMLBodyElement.h +++ b/Source/WebCore/html/HTMLBodyElement.h @@ -45,6 +45,7 @@ private: void collectStyleForPresentationAttribute(const QualifiedName&, const AtomicString&, MutableStyleProperties&) final; InsertionNotificationRequest insertedInto(ContainerNode&) final; + void finishedInsertingSubtree() final; bool isURLAttribute(const Attribute&) const final; -- 1.8.3.1